I’m probably going to go a bit over my head here in exploring whether hospitals or health systems can really securely deploy iPads (or any mobile Apple devices) as enterprise devices. This is obviously relevant. I’ve heard from multiple vendors that providers are asking about iPad versions of web applications.

I’ve also read about mobile device management (MDM) several times in the last several weeks, first with the new Voalte-MDM partnership and second with the recent VA RFI. And just this week, I’ve had several discussions about the challenges of actually deploying tablets — specifically iPads — as enterprise devices.

I like my iPad. It’s a great tool for clinicians for both data access and order entry. I’m not as concerned as most in healthcare about security. I’ve seen such blatant HIPAA security violations that I can’t imagine that having access to PHI or other sensitive information over mobile — as long as the mobile device isn’t storing the data locally — would make it any worse.

Maybe the reasons I’ve seen so many violations are that I know a lot of medical students and residents. I’m not really sure though as I’ve seen other violations from academic and community docs, especially in the spirit of research. Some examples include leaving paper medical records in public or semi-public places (including on printers at libraries), e-mailing charts or reports over Gmail (university e-mail is just not user friendly) to provider friends and family to fax or scan, and text messaging patient information (this seems like a daily thing.)

These things happen all the time, at least in my experience, so I come to the HIPAA discussion with low expectations. Maybe some providers are more cognizant than others, but I think most just do what needs to be done to get their work done. If a provider needs to reach a colleague and ask a question involving PHI, SMS might be the easiest process and that’s likely what will be used, despite the insecurity of SMS.

With that in mind, I went out to see what options existed for securing an iPad. Little did I know (and maybe I should have) that the Apple Push Notification Service supports third-party MDM services. The way it works (shown below) is that MDM vendors can use Apple Push to poll and modify managed devices at any time.

The Apple Push Service supports several key restrictions on devices (the full list is more extensive than this) with its messaging:

Installing/Removing apps

In-app purchases

Safari/iTunes/YouTube access

Passcode requirements

Account setup (Wi-Fi, email, VPN, etc.)

Device info (network, MAC, UDID, build version, etc)

Remote Lock

Remote Wipe

Clear Passcode

To do any of this with an iPad or an iPhone, you’ll need more than Apple Push, because that’s only the connectivity component. You’ll need an MDM server, which is exactly what the VA is looking for with its RFI. The VA is looking for an MDM solution that can support up to 100,000 devices running across all of its facilities. This will be a national solution. The RFI does not specify a mobile platform, instead stating it will test Windows, Android, and the iPad.
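
An MDM server delivers settings like those listed above to a device as a configuration profile, a property list made up of typed payloads. The following is an added example, not code from the original post or from any MDM vendor: it audits a constructed sample profile against an assumed baseline for a hospital-owned iPad. The payload types and key names are Apple's configuration profile keys; the thresholds, the sample profile and the `org.example` identifier are assumptions.

```python
import plistlib

PASSCODE = "com.apple.mobiledevice.passwordpolicy"  # passcode payload type
RESTRICT = "com.apple.applicationaccess"            # restrictions payload type

def is_int(v, lo, hi):
    """True only for a real integer in [lo, hi]; bools and None fail."""
    return type(v) is int and lo <= v <= hi

# Assumed baseline (illustrative thresholds, not from the post).
# Each rule: (payload type, key, test on the value, requirement text).
BASELINE = [
    (PASSCODE, "forcePIN", lambda v: v is True, "passcode required"),
    (PASSCODE, "minLength", lambda v: is_int(v, 6, 16), "at least 6 characters"),
    (PASSCODE, "allowSimple", lambda v: v is False, "no simple passcodes"),
    (PASSCODE, "maxInactivity", lambda v: is_int(v, 1, 5), "auto-lock within 5 min"),
    (PASSCODE, "maxFailedAttempts", lambda v: is_int(v, 1, 10), "wipe after <= 10 bad tries"),
    (RESTRICT, "allowAppInstallation", lambda v: v is False, "no user app installs"),
    (RESTRICT, "allowInAppPurchases", lambda v: v is False, "in-app purchases off"),
    (RESTRICT, "allowYouTube", lambda v: v is False, "YouTube app off"),
]

# Constructed sample profile, as an MDM server might push to a managed iPad.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "org.example.clinical-ipad",  # placeholder identifier
    "PayloadContent": [
        {"PayloadType": PASSCODE, "forcePIN": True, "minLength": 4,
         "allowSimple": True, "maxInactivity": 15},
        {"PayloadType": RESTRICT, "allowAppInstallation": True,
         "allowInAppPurchases": False, "allowYouTube": False},
    ],
})

def audit_profile(profile_bytes):
    """Return one finding per baseline rule the profile fails to meet."""
    profile = plistlib.loads(profile_bytes)
    settings = {}
    for payload in profile.get("PayloadContent", []):
        settings.setdefault(payload.get("PayloadType"), {}).update(payload)
    findings = []
    for ptype, key, ok, requirement in BASELINE:
        value = settings.get(ptype, {}).get(key)  # absent key -> None -> fails
        if not ok(value):
            findings.append(f"{key}: {requirement} (found {value!r})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE_PROFILE)) or "profile meets baseline")
```

A key that is missing from the profile is reported as a finding, because an unset restriction leaves the device at its permissive default.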

The only MDM vendors that I’ve heard of are Good Technology and AirWatch, the vendor that recently partnered with Voalte. These device management solutions support all of the configuration options that Apple supports and make it easy to manage lots of mobile devices across an enterprise regardless of mobile operating system.

The next big question is whether a health system would support a bring-your-own-device (BYOD) strategy. I know providers would love it and both AirWatch and Good Technology support it by providing specific security around certain apps. I’m not sure the app restrictions on a provider-owned device are adequate for a health device. Well, I think they are enough, but I’m not liable if something happens, so I’m not sure I’d have the same opinion if I was potentially personally liable.

Are iPads really secure using an MDM server with Apple’s Push Notification Service? Compared to the way I see security now, I’d say yes, but I’m sure some CTOs and technology folks would disagree. The issues with security are and will always be human issues. Providing access to sensitive data over mobile won’t change that.

What are the VA and other systems likely to do, at least if you assume mobile is coming? I’d be very curious to hear what CIOs have to say to that. I know John Halamka, MD, is a big fan of mobile and has written on how to deploy mobile in a health system. He was also featured at a recent Apple event, if I recall correctly.

My bet is that systems like the VA will end up purchasing a certain number of tablets for employed physicians, which is a growing percentage of physicians, and provide limited support for affiliated physician groups.

But this is only related to health systems. Independent community docs will be using their own iPads and iPhones with Practice Fusion and drchrono and others, likely without any major security platform installed.

Having researched a number of MDM systems, I think MobileIron has the edge over most systems. The real problem isn’t iPads, it’s supporting iPads, iPhones, multiple versions of Android devices and any other mobile widget that takes a clinician’s fancy.
I believe we are moving rapidly towards a Bring Your Own Device environment where hospitals will find themselves challenged with securing multiple device types simultaneously.

Brian

The only reason we have BYOD is because no one has made good Enterprise software for the iPad yet. It is just a symptom of the fact that Android and iOS are light years ahead of Microsoft in usability. Microsoft, and all the first generation EMRs built on the platform, have really failed us. When my difficult airway patient was crashing and the sats were dropping, I tried to log in (control alt delete) only to learn I had unused icons on my desktop and my virus definitions were out of date! For the work we do, we deserve better. I think it’s coming. When it does, I want my administrators to hand me an iPad (one eighteenth the cost of a PC workstation) already loaded and ready to go. They can lock it down, wipe it if lost, or do whatever they want. But it should come from the hospital so I can leave it and all the MRSA there. I never expected to bring my own PC to work. Microsoft PCs have simply failed to innovate and now they are at the end of an era and I say good riddance.